New API methods and changes to existing API methods

    To support the solution, new API methods have been created, and existing methods for customer actions that require SCA (exemptions may apply; see Appendix) have been amended.

    Response Codes

    The following new response codes have been added for SCA:

    Code  Description
    900   SCA needs to be performed.
    901   User blocked; access not allowed for this user.
    902   Failed to send OTP.
    903   SCA request does not exist or has expired.
    904   User blocked due to multiple failed OTP attempts.
    905   OTP verification failed; multiple invalid attempts will block the account.
    906   Incomplete cardholder contact information. Please update the contact details and then resend the request.
    907   Login not allowed using this method as SCA is required.
    908   OTP verification is pending.
    000   Exemption applies; SCA not required.

    API flow

    The Client will need to provide the UI on their portal for the customer to input the OTP, which is submitted to Contis by calling the new Authorize method. If the OTP matches the one issued for the original API request, Contis returns the ReferenceID in AuthorizeInfo.

    See OTP delivery section for information on how OTPs can be provided.

    For example:

    If a customer initiates a payment to which no exemption applies, the client must call the Authorize API method after receiving a 900 response from the Account_BankWithdraw API method.

    Resend OTP

    The Client needs to provide Resend OTP functionality for customers who do not receive the OTP or do not use it within 5 minutes (its maximum validity); this is achieved by calling the RegenerateSCA API. This method can be used to send a new OTP up to a maximum of 4 times.

    Account Access Block

    A Customer's account access will be blocked if they fail to enter an OTP correctly 5 times or exceed the maximum number of OTP resends. Account access can be unblocked via an API if the Customer passes the Client's own security checking procedures.
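    The API flow, Resend OTP and Account Access Block sections above describe one client-side procedure. The following is an added example, not Contis code: a constructed stand-in for the service (FakeContis) that enforces the documented limits (5 failed OTP entries, 4 resends, 5-minute validity) and returns the documented response codes, plus the client loop a portal would run after a 900. The method names account_bank_withdraw, regenerate_sca, authorize and unblock_consumer_login, the injected clock, the "_otp" field and the choice of 901 for the resend-limit block are all assumptions made for the example.

```python
"""Simulated SCA-via-OTP client flow with a constructed stand-in service.
Response codes 900/901/903/904/905/000 and the limits (5 failed OTPs, 4 resends,
5-minute validity) come from the documentation; everything else is assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

SCA_REQUIRED, USER_BLOCKED, SCA_EXPIRED = "900", "901", "903"
BLOCKED_OTP_ATTEMPTS, OTP_FAILED, SUCCESS = "904", "905", "000"

MAX_FAILED_OTP = 5        # the 5th wrong OTP blocks account access
MAX_RESENDS = 4           # RegenerateSCA may be called 4 times per request
OTP_VALIDITY_SECS = 300   # 5 minutes


@dataclass
class ScaRequest:
    reference: str
    otp: str
    created_at: float
    failed_attempts: int = 0
    resends: int = 0


class FakeContis:
    """Constructed stand-in for the Contis endpoints; NOT the real service.
    now() is injected so the clock can be advanced in tests."""

    def __init__(self, now: Callable[[], float]):
        self.now = now
        self.requests: Dict[str, ScaRequest] = {}
        self.blocked: Set[str] = set()
        self.executed = []          # payments that completed after SCA
        self._otp_seq = 0
        self._ref_seq = 0

    def _issue_otp(self) -> str:
        self._otp_seq += 1
        return f"{self._otp_seq:06d}"   # deterministic here; real OTPs are random

    def account_bank_withdraw(self, user: str, amount: int) -> dict:
        if user in self.blocked:
            return {"ResponseCode": USER_BLOCKED}
        self._ref_seq += 1
        req = ScaRequest(f"SCA-{self._ref_seq}", self._issue_otp(), self.now())
        self.requests[req.reference] = req
        # A real 900 carries only the reference; the OTP is delivered out of band.
        # "_otp" is exposed purely so a test can play the customer.
        return {"ResponseCode": SCA_REQUIRED, "ScaReference": req.reference, "_otp": req.otp}

    def regenerate_sca(self, user: str, ref: str) -> dict:
        if user in self.blocked:
            return {"ResponseCode": USER_BLOCKED}
        req = self.requests.get(ref)
        if req is None:
            return {"ResponseCode": SCA_EXPIRED}
        if req.resends >= MAX_RESENDS:
            self.blocked.add(user)             # exceeding the resend limit blocks access
            del self.requests[ref]
            return {"ResponseCode": USER_BLOCKED}
        req.resends += 1
        req.otp, req.created_at = self._issue_otp(), self.now()   # fresh OTP, fresh validity
        return {"ResponseCode": SUCCESS, "_otp": req.otp}

    def authorize(self, user: str, ref: str, otp: str) -> dict:
        if user in self.blocked:
            return {"ResponseCode": USER_BLOCKED}
        req = self.requests.get(ref)
        if req is None or self.now() - req.created_at > OTP_VALIDITY_SECS:
            self.requests.pop(ref, None)
            return {"ResponseCode": SCA_EXPIRED}
        if otp != req.otp:
            req.failed_attempts += 1
            if req.failed_attempts >= MAX_FAILED_OTP:
                self.blocked.add(user)
                del self.requests[ref]
                return {"ResponseCode": BLOCKED_OTP_ATTEMPTS}
            return {"ResponseCode": OTP_FAILED}
        del self.requests[ref]                 # an OTP is single-use
        self.executed.append((user, ref))
        return {"ResponseCode": SUCCESS, "AuthorizeInfo": {"ReferenceID": ref}}

    def unblock_consumer_login(self, user: str) -> dict:
        # Called only after the client's own identity checks have passed (out of scope here).
        self.blocked.discard(user)
        return {"ResponseCode": SUCCESS}


def withdraw_with_sca(api: FakeContis, user: str, amount: int,
                      next_entry: Callable[[str], Optional[str]]) -> str:
    """Client-side flow: call the payment method, then loop on Authorize until a final code.
    next_entry(reference) returns the OTP the customer typed, or None for 'resend'."""
    resp = api.account_bank_withdraw(user, amount)
    if resp["ResponseCode"] != SCA_REQUIRED:
        return resp["ResponseCode"]            # 000 (exempt) or 901 (blocked)
    ref = resp["ScaReference"]
    while True:
        entry = next_entry(ref)
        if entry is None:
            r = api.regenerate_sca(user, ref)
            if r["ResponseCode"] != SUCCESS:
                return r["ResponseCode"]       # 901/903: stop and tell the customer
            continue
        r = api.authorize(user, ref, entry)
        if r["ResponseCode"] != OTP_FAILED:
            return r["ResponseCode"]           # 000, 903, 904 or 901 end the loop
        # 905: wrong OTP but attempts remain, so prompt again
```

    The client loop treats 905 as the only code worth re-prompting on; every other code is final for that SCA reference, so the portal should show the customer the outcome rather than retry, and a 901/904 should route them to the Client's unblock procedure.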

    Inactivity Timer

    Basics of the inactivity timer

    • Contis needs to end the API session before 5 minutes of inactivity (290 seconds) from the account holder in the portal; this logs the customer out of the Contis elements of the portal.
    • The SDK_PostLoginDetails API allows clients to tell Contis that the account holder is still active within the portal, refreshing the 5-minute inactivity timer so the customer keeps access.
    • If the customer has been inactive for 5 minutes (300 secs), they are timed out and the client has to make the call again using the same method.
    • Trigger the refresh timer at 4 mins 30 seconds (270 seconds), to a 4-time maximum only.
    • Maximum inactivity per session: 25 mins (1500 seconds).
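    The bullets above define a timer the client must drive. The following is an added example, not Contis or SDK code: a client-side model of the session that decides when to call the keep-alive and when the session is gone. It takes the conservative 290-second cut-off quoted in the first bullet as the point after which the server no longer accepts the session, the 270-second mark as the refresh trigger, and the 4-refresh and 1500-second limits from the last two bullets; the class and method names are assumptions, and simulate_idle_session models a customer who never interacts so that only the keep-alives extend the session.

```python
"""Client-side model of the SCA inactivity timer (added example, not Contis code).
Constants are taken from the documented bullets; the 290 s figure is used as the
server cut-off because it is the earlier of the two quoted values."""
from dataclasses import dataclass

SERVER_CUTOFF_SECS = 290     # Contis ends the session before 300 s of inactivity
REFRESH_TRIGGER_SECS = 270   # client calls PostLoginDetails at 4 min 30 s
MAX_REFRESHES = 4            # refresh allowed 4 times per session
MAX_SESSION_SECS = 1500      # 25 minutes of inactivity per session, however many refreshes


@dataclass
class InactivitySession:
    login_at: float
    last_refresh_at: float
    refreshes: int = 0

    @classmethod
    def login(cls, now: float) -> "InactivitySession":
        return cls(login_at=now, last_refresh_at=now)

    def is_active(self, now: float) -> bool:
        """True while the server would still accept calls on this session."""
        return (now - self.last_refresh_at < SERVER_CUTOFF_SECS
                and now - self.login_at < MAX_SESSION_SECS)

    def should_refresh(self, now: float) -> bool:
        """Client-side trigger: still active, past the 270 s mark, refreshes remaining."""
        return (self.is_active(now)
                and now - self.last_refresh_at >= REFRESH_TRIGGER_SECS
                and self.refreshes < MAX_REFRESHES)

    def refresh(self, now: float) -> bool:
        """Models a successful PostLoginDetails keep-alive. Returns False when the
        session has already expired or the refresh budget is spent: in that case the
        client must send the customer through login again rather than retry."""
        if not self.is_active(now) or self.refreshes >= MAX_REFRESHES:
            return False
        self.refreshes += 1
        self.last_refresh_at = now
        return True


def simulate_idle_session(refresh_every: float) -> float:
    """Drive a session in one-second steps where the client refreshes on a fixed
    cadence (never earlier than the 270 s trigger) and the customer never interacts.
    Returns the time at which the session expires."""
    session = InactivitySession.login(0.0)
    t = 0.0
    while True:
        t += 1.0
        if not session.is_active(t):
            return t
        if session.should_refresh(t) and t - session.last_refresh_at >= refresh_every:
            session.refresh(t)
```

    Refreshing exactly at the 270-second trigger keeps an idle session alive for 1370 seconds (four refreshes, then the 290-second cut-off); stretching each refresh to 289 seconds reaches 1446 seconds, still inside the 1500-second cap, which is why the cap acts as a backstop rather than the normal end of a session.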

    Table of updated existing API methods

    The table below details the existing API methods that now have the 900 response, i.e. SCA is required (unless exemptions apply).

    Columns: Dev Portal Controller | Web Method Name | API description | SCA Customer Event | SCA Description (see appendix for detail on exemptions)

    Account | ListTransactions_Account
        API description: Returns a list of cleared transactions.
        SCA Customer Event: Historical Transactions (> 90 days)
        SCA Description: SCA required if more than 90 days of transactions are requested and the customer has not performed a 2FA login in the last 90 days.

    Account | UnloadConsumerAccount
        API description: Debits the specified amount from the customer's account and credits it to the programme holding or funding account.
        SCA Customer Event: Transfer
        SCA Description: SCA required if the customer transfers money from their account to another Contis account, i.e. the programme holding or funding account (exemptions may apply).

    Consumer | UpdateConsumerContactDetails_Consumer
        API description: Updates the customer's mobile number, email address and address.
        SCA Customer Event: Update Contact Details (Mobile or Address)
        SCA Description: SCA required when a customer changes their mobile phone number or address.

    P2P | PayRequestedMoney
        API description: Enables the payment request recipient to pay the requested money to the beneficiary.
        SCA Customer Event: Pay Request Money
        SCA Description: SCA required when a customer, as the payment request recipient, pays the requested money to the beneficiary (exemptions may apply).

    P2P | SendMoney
        API description: Sends money from the customer's account to the recipient account.
        SCA Customer Event: Send Money
        SCA Description: SCA required when a customer sends money from their account to a recipient account (exemptions may apply).

    P2P | SendMoneyByEmailAddress
        API description: Transfers money from the customer to the payee account using the recipient's email address.
        SCA Customer Event: Send Money
        SCA Description: SCA required when a customer sends money to the payee using the recipient's email address (exemptions may apply).

    P2P | SendMoneyByMobileNumber
        API description: Transfers money from the customer to the payee account using the recipient's mobile phone number.
        SCA Customer Event: Send Money
        SCA Description: SCA required when a customer sends money to the payee using the recipient's mobile phone number (exemptions may apply).

    P2P | SendMoneyByUserName
        API description: Transfers money from the customer to the payee account using the recipient's username.
        SCA Customer Event: Send Money
        SCA Description: SCA required when a customer sends money to the payee using the recipient's username (exemptions may apply).

    P2P | SendMoneyByIBAN
        API description: Transfers money from the customer to the payee account. The money is immediately credited to the beneficiary account using the IBAN (International Bank Account Number).
        SCA Customer Event: Send Money
        SCA Description: SCA required when a customer sends money to the payee account (immediate credit) (exemptions may apply).

    P2P | Transfer
        API description: Transfers funds from the customer's account to the recipient account if the amount is available in the customer's account.
        SCA Customer Event: Third-Party Transfer
        SCA Description: SCA required when a customer sends money to the payee account (exemptions may apply).

    StandingOrder | SetupSOReceipent
        API description: Creates an internal or third-party standing order by specifying the recipient.
        SCA Customer Event: Add Standing Order
        SCA Description: SCA required when a customer creates a standing order.

    StandingOrder | SetupSORecipientBank
        API description: Creates an internal or third-party standing order by specifying the recipient's bank account.
        SCA Customer Event: Add Standing Order
        SCA Description: SCA required when a customer creates a standing order.

    StandingOrder | UpdateSODetails
        API description: Updates the details of an existing standing order.
        SCA Customer Event: Edit Standing Order
        SCA Description: SCA required when a customer amends a standing order.

    Transfer | BankTransfer
        API description: Transfers funds from a Contis customer to an external bank account if the amount is available in the customer's account.
        SCA Customer Event: Bank Transfer
        SCA Description: SCA required when a customer transfers funds from their account to an external bank account (exemptions may apply).

    Account | Account_GetBalance
        API description: Returns the latest balance of the given account, including the balance of any secondary account(s) linked to the primary account. If a subaccount parameter is passed, it returns the balance of the specified account number.
        SCA Description: SCA required if the balance is requested and the customer has not performed a 2FA login in the last 90 days.

    Table of new API methods

    The table below details the new API methods that support the SCA-via-OTP solution.

    Columns: Dev Portal Controller | Web Method Name | API description | SCA Customer Event | SCA Description (see appendix for detail on exemptions)

    P2P | UpdateBeneficiaryStatus
        API description: Enables the customer to apply or remove trusted beneficiary status for a payee account. The customer must have made at least one successful payment to the payee before this action can be performed.
        SCA Customer Event: Edit Beneficiary Status
        SCA Description: SCA required when a customer applies or removes trusted status for a beneficiary. Making a beneficiary trusted means the customer does not have to undertake SCA on subsequent payments to them, so this becomes one of the exemptions listed against the existing APIs. The customer must have made at least one successful payment to a beneficiary before they can be made trusted.

    Transfer | UpdateBeneficiaryStatus
        API description: Enables the customer to apply or remove trusted beneficiary status for a payee account. The customer must have made at least one successful payment to the payee before this action can be performed.
        SCA Customer Event: Edit Beneficiary Status
        SCA Description: SCA required when a customer applies or removes trusted status for a beneficiary. Making a beneficiary trusted means the customer does not have to undertake SCA on subsequent payments to them, so this becomes one of the exemptions listed against the existing APIs. The customer must have made at least one successful payment to a beneficiary before they can be made trusted.

    Security | RegenerateSCA
        API description: The RegenerateSCA method is used to generate the SCA again if the Authorize method fails to perform SCA because of wrongly entered data. This method authenticates the consumer and submits the earlier pending API request. If ResponseCode = 000 (Success), the API request has been executed successfully. If any validation fails, Contis returns an error code with an error description in the API response. For more detail, refer to the parameter values of ResultObject mentioned in this document.
        SCA Description: For clients using the API SCA solution only via OTP: following a customer request to resend an OTP, this method resends an OTP specific to the SCA reference number. The customer can request a resend up to a maximum of 4 times. The initial OTP is sent with the first 900 response.

    Security | Authorize
        API description: The Authorize method is used to perform second-factor authentication of the consumer according to the SCA type set for the consumer in the scheme settings, i.e. if the consumer's SCA type is set to OTP, SCA will be performed using an OTP.
        SCA Customer Event: Authorisation
        SCA Description: For clients using the API SCA solution only via OTP: the method used to pass the OTP back to Contis to authorize the SCA request.

    Consumer | UnblockConsumerLogin
        API description: Unblocks the customer's account access.
        SCA Description: Customer account access must be blocked if the customer exceeds the maximum number of failed authentication attempts when completing SCA. This API enables a client to unblock a customer account if the customer passes the necessary security checks under the client's own rules for unblocking the account.

    Security | PostLoginDetails
        API description: This method is used to trigger the SDK for the second factor of authentication of the customer's login to the client app, to advise Contis of which SCA-compliant factors were used for the customer's login (where client managed), and for inactivity timer management.
        SCA Customer Event: Login
        SCA Description: This method can do 3 things:
        1) Trigger the SDK for the second factor of SCA for customer login to the client app (optional; clients can manage their own SCA-compliant 2FA login journey).
        2) Advise Contis of which first factor was used for customer login to the client app (mandatory) and which second factor was used for customer login to the client app (optional).
        3) Inactivity timer: lets Contis know that a customer has successfully logged in and remains active in the client portal/app, which is required to meet the inactivity criteria. See appendix for more details.
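    The two tables above state, per method, when a 900 is returned and which exemptions apply (the 90-day 2FA-login rule for balance and history, and trusted beneficiary status for payments). The following is an added example, not the Contis decision logic, which runs server-side: a small policy model that a client team can use to predict when to expect a 900 and to test their own SCA handling. It models only the exemptions named on this page (a 2FA login within the last 90 days, a trusted beneficiary), treats the 90-day boundary as inclusive, and raises a ValueError when trusted status is requested for a payee that has never received a successful payment; those three choices, the Customer type and the sca_decision signature are assumptions. Other exemptions in the appendix are out of scope.

```python
"""Illustrative SCA policy model built from the method tables (added example).
Only the exemptions the page names are modelled; method names are those in the tables."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Set

SCA_REQUIRED, NO_SCA = "900", "000"
NINETY_DAYS = timedelta(days=90)

# Methods whose row says "exemptions may apply": a trusted beneficiary skips SCA.
PAYMENT_METHODS = {
    "SendMoney", "SendMoneyByEmailAddress", "SendMoneyByMobileNumber",
    "SendMoneyByUserName", "SendMoneyByIBAN", "Transfer", "PayRequestedMoney",
    "BankTransfer", "UnloadConsumerAccount",
}
# Methods whose row states SCA is required with no exemption mentioned.
ALWAYS_SCA = {
    "UpdateConsumerContactDetails_Consumer", "SetupSORecipientBank", "UpdateSODetails",
}


@dataclass
class Customer:
    """Constructed customer state; fields are assumptions for the example."""
    last_2fa_login: Optional[date] = None
    trusted: Set[str] = field(default_factory=set)   # payees with trusted status
    paid: Set[str] = field(default_factory=set)      # payees with >= 1 successful payment


def has_recent_2fa(c: Customer, today: date) -> bool:
    # Boundary assumed inclusive: a 2FA login exactly 90 days ago still counts.
    return c.last_2fa_login is not None and today - c.last_2fa_login <= NINETY_DAYS


def sca_decision(method: str, c: Customer, today: date,
                 payee: Optional[str] = None, from_date: Optional[date] = None) -> str:
    """Return "900" when SCA must be performed for this call, "000" when exempt."""
    if method == "Account_GetBalance":
        return NO_SCA if has_recent_2fa(c, today) else SCA_REQUIRED
    if method == "ListTransactions_Account":
        # Only history older than 90 days triggers the rule, and only without a recent 2FA login.
        wants_history = from_date is not None and today - from_date > NINETY_DAYS
        return SCA_REQUIRED if wants_history and not has_recent_2fa(c, today) else NO_SCA
    if method == "UpdateBeneficiaryStatus":
        if payee not in c.paid:
            # Precondition from the table; the error form is an assumption.
            raise ValueError("beneficiary must have received a successful payment first")
        return SCA_REQUIRED          # applying or removing trusted status always needs SCA
    if method in PAYMENT_METHODS:
        return NO_SCA if payee in c.trusted else SCA_REQUIRED
    if method in ALWAYS_SCA:
        return SCA_REQUIRED
    raise KeyError(f"no SCA rule modelled for {method}")


def apply_trusted_status(c: Customer, payee: str, trusted: bool, today: date) -> Customer:
    """State change a client would apply once UpdateBeneficiaryStatus has returned 000
    after Authorize; the precondition is re-checked so the exemption cannot be granted
    to a payee that has never been paid."""
    if sca_decision("UpdateBeneficiaryStatus", c, today, payee=payee) != SCA_REQUIRED:
        raise RuntimeError("unreachable: status changes always require SCA")
    if trusted:
        c.trusted.add(payee)
    else:
        c.trusted.discard(payee)
    return c
```

    Run against a customer whose last 2FA login was exactly 90 days ago, the model returns 000 for a balance check and 900 for the same call one day later; a payment to a trusted payee returns 000 while a payment to any other payee returns 900, and trusting a payee that has never been paid is rejected before any SCA is attempted.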